Certificate autoenrollment POC #743
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a POC that leverages the samba implementation of certificate autoenrollment. It contains a few patches and fixes on top of the samba#master version of the `gp_cert_auto_enroll_ext.py` file, that will ultimately be upstreamed. Autoenrollment is performed via a separate policy manager that runs a helper Python script (`cert-autoenroll`) which communicates with the Windows CEP/CES services through Samba. For better control and to avoid unexpected behavior we vendor the required Samba files, which are confirmed to work on all Ubuntu versions starting with (and including) Jammy (22.04). Samba has its own cache mechanism which stores information concerning the applied GPOs which we are using in order to ensure idempotency. This is a crude implementation in the sense that we let Samba directly parse the freshly downloaded `Registry.pol` files from the DC. This operation is unreliable and prone to races since the cached pol files can be overwritten by subsequent runs of adsys (e.g. another user applies their policies), so the ulimate goal is to perform the GPO parsing process within adsys (using the mmapped files) and defer to Samba for the CA download and certificate request processes. This work will remain unmerged, to reflect its proof-of-concept status, and subsequent work will take place in separate PRs. Fixes UDENG-850
Similar to the adsys-gpolist, provide a way for users to dump the certificate autoenrollment script for debugging purposes.
|
Closed in favor of #745 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a POC that leverages the samba implementation of certificate autoenrollment. It contains a few patches and fixes on top of the samba#master version of the
gp_cert_auto_enroll_ext.pyfile, that will ultimately be upstreamed.Autoenrollment is performed via a separate policy manager that runs a helper Python script (
cert-autoenroll) which communicates with the Windows CEP/CES services through Samba. For better control and to avoidunexpected behavior we vendor the required Samba files, which are confirmed to work on all Ubuntu versions starting with (and including) Jammy (22.04).
Samba has its own cache mechanism which stores information concerning the applied GPOs which we are using in order to ensure idempotency.
This is a crude implementation in the sense that we let Samba directly parse the freshly downloaded
Registry.polfiles from the DC. This operation is unreliable and prone to races since the cached pol files can be overwritten by subsequent runs of adsys (e.g. another user applies their policies), so the ulimate goal is to perform the GPO parsing process within adsys (using the mmapped files) and defer to Samba for the CA download and certificate request processes.This work will remain unmerged, to reflect its proof-of-concept status, and subsequent work will take place in separate PRs.
Fixes UDENG-850